For all of you savvy technologists and those well versed in the security realm many of these tips may be old hat but, based on many of my discussions with both personal and professional peers, I know that most, if not all, of these Best Common Practices (BCPs) are not exactly “common.”

Use non-trivial passwords – While most sites and applications now dictate requirements (lower/upper alphabetical, numerical, symbols, minimum length) for passwords, there are still those that rely on the user to utilize complex passwords. Password selection brings with it a challenging dichotomy – on one hand we are being told (and sometimes forced!) to use complex not-so-easy-to-guess passwords and on the other hand we are expected to be able to remember all of these passwords without writing them down and sticking them on our laptop! Check out Numeric Password Follies and Keep passwords safe and secure with password management for some information from previous Cisco Security Blog posts that may help you choose and manage your passwords more effectively.

And now that we have finally chosen an acceptable complex password, and we have been able to commit it to memory!, we now have to make sure we Change Our Passwords Regularly! You will find that many of your “more secure” sites implement a specific time frame, e.g., 30 or 60 days, after which time you _must_ change your password. For all those sites, applications, and situations in which this is not the case, it is HIGHLY recommended that you take the proactive approach and manually change your password regularly. It shouldn’t be that hard – just create a repeating reminder in your daily calendar to help you remember to change your passwords!

And while on the subject of passwords, here’s another recommended best practice! Don’t use the same password everywhere!!! Again, our minds can only contain so many passwords (in addition to everything we need to remember on a daily basis) and things like passwords probably fall to the bottom of our priorities, so use a password manager tool. Because we often take the easy way out and, once we’ve developed that very complex, non-trivial password that we discussed in our first tip, we hang on to it for dear life and use it EVERYWHERE! Bad move! There are few days that go by in the security world where we don’t come across a hack or data breach that was helped along the way by the fact that so many people use the same passwords for both personal and professional sites and applications. Several examples of these breaches can be found in these previous Cisco Security Blog posts: July, a Busy Month for Breaches, Compromised Accounts, Stepping Stones, and 6.5 million password hashes suggest a possible breach at LinkedIn.

If it looks like phish and “smells” like phish it probably is phish – Do NOT open emails that appear “phishy” – go directly to the known website of the supposed sender of the email. You should also be careful clicking links in emails from known contacts that do not have human-looking text from your friend. For example, be leery of emails which contain nothing but one URL/link or emails that start out with text such as “open this, it is funny.” Agree with your friend to send something he knows that will identify him when he sends a single link. For example ask him her to put in “I was born in XXX, July 1934″ or what team he supports.

Keep your operating system (OS) and application software up to date. Many OS vendors, e.g., Microsoft, provide automated means of updating software on a regular basis, so take advantage of this offering if your vendor provides it. It is certainly understandable that probably a great many of you have important devices and simply cannot take the chance with automated updates, but for those with less mission-critical concerns it is a worthwhile practice to use automatic software updates. The Cisco Security Intelligence Operations portal includes a section devoted to security alerts affecting both Cisco and non-Cisco products.

Have your “social engineering” guard up at all times. For many of us, the combination of our personalities and lack of time causes us to become more trustworthy and accepting all invitations – whether by email, phone call, or text – on their surface. What we need to do when working online is put on our “tinfoil hat” and simply not trust anyone! So, when you get that next email soliciting you to “click on the link” to resolve a banking dispute think twice, do NOT click on that link, and then log in directly to the website of your bank (or call them) and resolve that “issue” the proper way. Clicking on links sent to you via email or text could cause you to inadvertently and unknowingly provide login credentials and Personally Identifiable Information (PII) to the bad guys. Check out Levi Gundert’s recent post on how the loss (or theft) of PII can impact you.

While Anti Virus (AV) Software is certainly not a silver bullet and probably won’t stop some of today’s more complex threats, it is still a useful tool to have in our security toolbox both for our corporate and personal devices. Although most corporate IT departments push out updates regularly to our professional devices, we need to also ensure that the AV Software running on our home and personal devices is kept current and is regularly updated.

Understand the security measures that are available (and not available!) for social networking sites and applications. Many of you and your peers use some form of social networking – e.g., Twitter, Facebook, LinkedIn, etc. – and it is imperative that you are aware of what information gets shared and what mechanisms are available to you to restrict access to the data you want shared to only those people with whom you wish to share! You would probably be surprised to find out that the data that gets shared, both freely and inadvertently, is often leveraged for malfeasance such as phishing emails!

Who you gonna call? Know who and how to report any suspect network security incidents, i.e., phishing, spam, malware, DoS, etc. This recommendation may border on the nebulous but it is really important, whether you are on your personal device at home or on a corporate device, that you know that there are resources available should you come across activity, e.g., phishing emails, evidence of DDoS attack activities, etc., that you can contact to get assistance. This could be your ISP, your corporate IT department, Help Desk, Information Security (InfoSec) department, or even a friend or coworker.

Be vigilant and stay abreast of cyber security news! Regardless of your role and your technical acumen, find at least one source of security intelligence to monitor via RSS, email, Twitter, or by just directly visiting websites. Please visit the Cisco SIO portal, which includes a variety of information such as security alerts, blog posts, technical white papers, best common practices, and upcoming security conferences. Some additional recommended sources of this information include CERT, NANOG, Full Disclosure, Bugtraq, SANS Internet Storm Center (ISC), and Krebs on Security…..to name a few.

My call to action to all of you is to go out there and work together to make our cyber world just a little bit safer – one byte, one email, one phish, and one website at a time!

In the 20 years we’ve had to get used to the Internet, we’ve learned a lot about web security and our own role in keeping ourselves safe from the nastiest things out there. At the very least, most of us now recognize the need to install antivirus software on our computers and to keep that software updated.

When it comes to the other kinds of computers we use though – our ubiquitous smartphones and tablets – it’s a different story. According to a 2011 report by Canalys, just 4 percent of the smartphones and tablets shipped the previous year had some form of mobile security installed.

Everyone understands how important it is to batten down the security hatches at company headquarters. But in the haste to protect the network and devices that store a small company’s critical business data and host its key applications, remote offices are sometimes forgotten. You need to make sure remote offices are equally secured, with an eye toward handling a few challenges specific to a location far from headquarters.

Any place someone works outside of your main facility can be considered a remote office, whether that’s an employee’s spare bedroom or a rented suite in a different state. All remote offices share a few security risks: a connection to your network via the public Internet; personal devices used for work, such as laptops; and the potential for unauthorized access to your company’s computing assets, both the equipment and the data stored on it.

Every morning before I leave the house, I do a quick security check: Are the windows closed? Is the back door locked? Is the garage door down? I even take a quick look at the front door to make sure my husband hasn’t left his keys in the lock again.

Securing your small business might not be as simple as returning an errant set of keys to your forgetful partner, but it definitely starts with locking down all possible entry points; physical and virtual. You need to install security devices and software at every point on your network by which someone from the outside could gain access to your company data. For most small businesses, the first place to start is email security.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.